
NEED HELP after Windows Recovery Virus


Gissel


Hello Gissel! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files; don't attach them. Every log file should be copied and pasted into your next reply.

Your system is still infected, and we need to clean it before trying to recover your files.

Please follow the instructions here:

www.bleepingcomputer.com/combofix/how-to-use-combofix#use

Post the log file when you are ready.

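A ComboFix log is long, and a helper reads it for a handful of recurring signals: the AV/Security Center status in the header, executables dropped where no installer puts them (ProgramData root, a profile root, the Startup folder), numeric or float-like file names, files that fail the Sigcheck pass (`[-]`), Security Center override values, unusual attribute combinations on system32 files, and driver hooks in the MBR/rootkit section. The script below is an added example, not code from either poster or from the ComboFix project: it applies those checks to log lines. The sample lines are excerpted from the log posted in the reply below; the attribute-column layout (`d`, system, hidden, archive, read-only positions) and the path heuristics are assumptions of this example, not ComboFix documentation, and a hit is a prompt to look closer, not a verdict. As the log's own Sigcheck note says, unsigned files aren't necessarily malware.

```python
"""Triage helper for ComboFix logs: flags lines that merit a closer look.

Added example for this thread, not a ComboFix or forum tool. The heuristics
are assumptions about what is worth reviewing; treat hits as leads, not verdicts.
"""
import ntpath
import re

EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".bat", ".cmd"}

# First Windows path on a line, stopping before a trailing "[...]" block,
# a ComboFix "-->" arrow, a closing quote, or end of line.
PATH_RE = re.compile(r'[a-zA-Z]:\\[^"\r\n]+?(?=\s*(?:\[|-->|"|$))')
# "Files Created" / "Find3M" entry: created . modified size attrs path
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-dshawr]{8}) (?P<path>.+)$"
)
# Directories where a bare executable is out of place (assumed list).
DROP_DIRS = (r"\all users\application data", r"\start menu\programs\startup")
PROFILE_ROOT = re.compile(r"c:\\documents and settings\\[^\\]+$")
HOOK_RE = re.compile(r"\\Driver\\\w+ \w+ -> 0x[0-9A-Fa-f]+")
SECURITY_CENTER_OVERRIDES = ('"antivirusoverride"=dword:00000001',
                             '"disablemonitoring"=dword:00000001')


def parse_attrs(attrs):
    """Decode the attribute column, e.g. '--sha-r-' (assumed layout: d ? s h a ? r/w ?)."""
    return {"dir": attrs[0] == "d", "system": attrs[2] == "s",
            "hidden": attrs[3] == "h", "readonly": attrs[6] == "r"}


def check_path(path):
    """Return a reason if an executable path looks out of place, else None."""
    low = path.lower()
    stem, ext = ntpath.splitext(ntpath.basename(low))
    if ext not in EXEC_EXT:
        return None
    if re.fullmatch(r"\d+|0\.\d+", stem):
        return "numeric or float-like executable name"
    parent = ntpath.dirname(low)
    if parent.endswith(DROP_DIRS) or PROFILE_ROOT.fullmatch(parent):
        return "executable dropped directly in a data, Startup or profile directory"
    return None


def triage(log_text):
    """Scan ComboFix log text and return (reason, line) pairs worth reviewing."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if line.startswith("AV:") and "*disabled" in low:
            hits.append(("antivirus reported disabled", line))
        elif any(k in low for k in SECURITY_CENTER_OVERRIDES):
            hits.append(("Security Center monitoring overridden", line))
        elif line.startswith("[-]"):
            hits.append(("file failed ComboFix's signature check", line))
        elif HOOK_RE.search(line):
            hits.append(("kernel driver dispatch hook reported by MBR scanner", line))
        m = FILE_RE.match(line)
        if m:
            a = parse_attrs(m.group("attrs"))
            parent = ntpath.dirname(m.group("path").lower())
            if not a["dir"] and a["system"] and a["hidden"] and parent.endswith("\\system32"):
                hits.append(("system+hidden attributes on a file under system32", line))
        p = PATH_RE.search(line)
        if p:
            reason = check_path(p.group(0))
            if reason:
                hits.append((reason, line))
    return hits


# Lines excerpted from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
c:\documents and settings\All Users\Application Data\4kpXS9dVeEclNG.exe
c:\windows\system32\0.4066833105063917.exe
2011-11-21 16:40 . 2011-11-21 17:19 -------- d-----w- c:\program files\GEEK SQUAD UPS
2011-11-16 15:03 . 2011-11-20 16:44 9216 ---ha-w- c:\windows\system32\Native.exe
2011-11-07 22:08 . 2011-11-07 22:08 70144 --sha-r- c:\windows\system32\raschapl.dll
2011-11-16 15:13 . 2004-08-11 21:00 916480 ---ha-w- c:\windows\system32\wininet.dll
[-] 2011-11-16 15:13 . 051B1BDECD6DEE18C771B5D5EC7F044D . 27136 . . [11.0.5721.5262] . . c:\windows\system32\mspmsnsv.dll
[7] 2006-10-19 01:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\dllcache\mspmsnsv.dll
"AntiVirusOverride"=dword:00000001
"DisableMonitoring"=dword:00000001
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\rncsys32.exe
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Dropbox.lnk
MSConfigStartUp-18297344 - c:\documents and settings\All Users\Application Data\18297344\18297344.exe
MSConfigStartUp-Owner - c:\documents and settings\Owner\Owner.exe
MSConfigStartUp-ttool - c:\windows\9129837.exe
MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
\Driver\atapi DriverStartIo -> 0x8A92F2C6
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:60s} | {line}")
```

Run it against a full log pasted into a file (`triage(open("combofix.txt").read())`) and review hits top to bottom; the Sigcheck `[-]` line pairs with the `[7]` dllcache copy of the same DLL, which is the comparison ComboFix is inviting you to make.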

Okay, here is the log:

ComboFix 11-11-21.01 - Administrator 11/21/2011 12:07:48.1.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1746 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\data

c:\data\default\us_sres.data

c:\documents and settings\All Users\Application Data\4kpXS9dVeEclNG.exe

c:\documents and settings\All Users\Application Data\AyBceCwcCVrA.exe

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP

c:\windows\CSC\d6

c:\windows\dasetup.log

c:\windows\system32\0.4066833105063917.exe

c:\windows\system32\0.5190699028948886.exe

c:\windows\system32\0.8971592509152824.exe

c:\windows\system32\0.9199208730784909.exe

c:\windows\system32\Cache

c:\windows\system32\shimg.dll

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_I386SI

-------\Legacy_PORT135SIK

.

.

((((((((((((((((((((((((( Files Created from 2011-10-21 to 2011-11-21 )))))))))))))))))))))))))))))))

.

.

2011-11-21 16:40 . 2011-11-21 17:19 -------- d-----w- c:\program files\GEEK SQUAD UPS

2011-11-21 16:40 . 2011-11-21 16:40 -------- d-----w- c:\program files\Common Files\Zero G Software

2011-11-21 15:07 . 2011-11-21 15:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp

2011-11-21 15:07 . 2011-11-21 15:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-11-21 14:47 . 2011-11-21 14:47 1324 ---ha-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp

2011-11-20 20:19 . 2011-11-20 20:19 -------- d-----w- C:\e

2011-11-18 23:05 . 2011-11-18 23:05 -------- d--h--w- c:\program files\Common Files\Software Update Utility

2011-11-18 20:39 . 2011-11-20 17:26 -------- d--h--w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp

2011-11-18 19:48 . 2011-11-21 16:54 -------- d--h--w- c:\documents and settings\gg

2011-11-18 18:09 . 2011-11-18 18:09 -------- d--h--w- c:\windows\PIF

2011-11-17 17:01 . 2006-02-07 20:40 204800 ---ha-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll

2011-11-17 17:01 . 2006-02-07 20:40 69715 ---ha-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll

2011-11-17 17:01 . 2006-02-07 20:40 274432 ---ha-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll

2011-11-17 17:01 . 2005-11-14 04:19 5632 ---ha-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe

2011-11-17 17:01 . 2011-11-17 17:01 331908 ---ha-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll

2011-11-17 17:01 . 2011-11-17 17:01 200836 ---ha-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll

2011-11-17 16:39 . 2010-01-13 17:28 155648 ---ha-r- c:\windows\system32\igfxCoIn_v5218.dll

2011-11-17 16:20 . 2011-11-17 16:20 -------- d--h--w- c:\documents and settings\All Users\Application Data\Innovative Solutions

2011-11-17 16:20 . 2011-11-17 16:20 -------- d--h--w- c:\documents and settings\Administrator\Local Settings\Application Data\Innovative Solutions

2011-11-17 15:37 . 2011-11-17 15:37 -------- d--h--w- c:\documents and settings\Administrator\Local Settings\Application Data\SlimWare Utilities Inc

2011-11-16 18:04 . 2011-11-16 18:04 -------- d--h--w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-11-16 18:04 . 2011-11-16 18:04 -------- d--h--w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2011-11-16 15:50 . 2011-11-16 15:50 -------- d--h--w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-11-16 15:50 . 2011-11-16 15:50 -------- d--h--w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-11-16 15:28 . 2011-11-16 15:28 361186 ---ha-w- c:\windows\system32\PerfStringBackup.TMP

2011-11-16 15:17 . 2011-11-16 15:13 35328 ---ha-w- c:\windows\system32\drivers\pcntpci5.sys

2011-11-16 15:17 . 2011-11-16 15:13 14208 ---ha-w- c:\windows\system32\drivers\battc.sys

2011-11-16 15:17 . 2011-11-16 15:13 13952 ---ha-w- c:\windows\system32\drivers\CmBatt.sys

2011-11-16 15:17 . 2011-11-16 15:13 10240 ---ha-w- c:\windows\system32\drivers\compbatt.sys

2011-11-16 15:03 . 2011-11-20 16:44 9216 ---ha-w- c:\windows\system32\Native.exe

2011-11-16 15:03 . 2011-11-16 15:20 -------- d-----w- C:\ReimageUndo

2011-11-16 14:50 . 2011-11-20 17:26 -------- d-----w- C:\rei

2011-11-16 14:49 . 2011-11-16 14:49 -------- d--h--w- c:\program files\Reimage

2011-11-16 14:42 . 2011-11-16 14:42 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2011-11-08 16:21 . 2011-11-08 16:21 -------- d--h--w- c:\program files\Bonjour

2011-11-07 22:08 . 2011-11-07 22:08 70144 --sha-r- c:\windows\system32\raschapl.dll

2011-10-31 18:41 . 2008-03-07 19:02 201728 ---ha-w- c:\windows\system32\DP667WUI.DLL

2011-10-31 18:41 . 2008-03-07 19:01 410624 ---ha-w- c:\windows\system32\DPORT667.DLL

2011-10-31 18:41 . 2008-03-07 19:02 311808 ---ha-w- c:\windows\system32\DP667WIA.DLL

2011-10-31 18:41 . 2011-10-31 18:44 -------- d--h--w- c:\program files\DocuCap

2011-10-31 18:16 . 2011-10-31 18:16 -------- d--h--w- c:\documents and settings\All Users\Application Data\DocuCap

2011-10-24 19:29 . 2011-10-24 19:29 94208 ---ha-w- c:\windows\system32\QuickTimeVR.qtx

2011-10-24 19:29 . 2011-10-24 19:29 69632 ---ha-w- c:\windows\system32\QuickTime.qts

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-16 15:13 . 2008-08-08 06:48 221184 ---ha-w- c:\windows\system32\wmpns.dll

2011-11-16 15:13 . 2006-10-19 01:47 767488 ---h--w- c:\windows\system32\WMVSENCD.dll

2011-11-16 15:13 . 2006-10-19 01:47 656896 ---h--w- c:\windows\system32\WMVXENCD.dll

2011-11-16 15:13 . 2006-10-19 01:47 63488 ---h--w- c:\windows\system32\wpdmtpus.dll

2011-11-16 15:13 . 2006-10-19 01:47 629760 ---h--w- c:\windows\system32\wpd_ci.dll

2011-11-16 15:13 . 2006-10-19 01:47 38400 ---h--w- c:\windows\system32\wpdshextres.dll

2011-11-16 15:13 . 2006-10-19 01:47 35840 ---h--w- c:\windows\system32\wpdconns.dll

2011-11-16 15:13 . 2006-10-19 01:47 356352 ---h--w- c:\windows\system32\wpdsp.dll

2011-11-16 15:13 . 2006-10-19 01:47 2603008 ---h--w- c:\windows\system32\WpdShext.dll

2011-11-16 15:13 . 2006-10-19 01:47 154624 ---h--w- c:\windows\system32\wpdmtp.dll

2011-11-16 15:13 . 2006-10-19 01:47 1382912 ---h--w- c:\windows\system32\WMVSDECD.dll

2011-11-16 15:13 . 2006-10-19 01:47 133632 ---h--w- c:\windows\system32\WPDShServiceObj.dll

2011-11-16 15:13 . 2006-10-19 00:00 17408 ---h--w- c:\windows\system32\wpdshextautoplay.exe

2011-11-16 15:13 . 2006-10-19 01:47 4096 ---h--w- c:\windows\system32\WMVADVE.DLL

2011-11-16 15:13 . 2006-10-19 01:47 4096 ---h--w- c:\windows\system32\WMVADVD.dll

2011-11-16 15:13 . 2006-10-19 01:47 1575424 ---h--w- c:\windows\system32\WMVENCOD.dll

2011-11-16 15:13 . 2006-10-19 01:47 1543680 ---h--w- c:\windows\system32\WMVDECOD.dll

2011-11-16 15:13 . 2006-10-19 01:47 613376 ---h--w- c:\windows\system32\wmpmde.dll

2011-11-16 15:13 . 2006-10-19 01:47 204288 ---h--w- c:\windows\system32\wmpsrcwp.dll

2011-11-16 15:13 . 2006-10-19 01:47 130048 ---h--w- c:\windows\system32\wmpps.dll

2011-11-16 15:13 . 2004-08-11 21:00 99840 ---ha-w- c:\windows\system32\wmpshell.dll

2011-11-16 15:13 . 2004-08-11 21:00 8231936 ---ha-w- c:\windows\system32\wmploc.dll

2011-11-16 15:13 . 2004-08-11 21:00 4096 ---ha-w- c:\windows\system32\wmvdmoe2.dll

2011-11-16 15:13 . 2004-08-11 21:00 4096 ---ha-w- c:\windows\system32\wmvdmod.dll

2011-11-16 15:13 . 2004-08-11 21:00 4096 ---ha-w- c:\windows\system32\wmsdmoe2.dll

2011-11-16 15:13 . 2004-08-11 21:00 4096 ---ha-w- c:\windows\system32\wmsdmod.dll

2011-11-16 15:13 . 2004-08-11 21:00 1329152 ---ha-w- c:\windows\system32\WMSPDMOE.dll

2011-11-16 15:13 . 2006-10-19 01:58 8704 ---h--w- c:\windows\system32\wdfmgr.exe

2011-11-16 15:13 . 2006-10-19 01:58 8704 ---h--w- c:\windows\system32\uwdf.exe

2011-11-16 15:13 . 2006-10-19 01:47 535040 ---h--w- c:\windows\system32\wmdrmsdk.dll

2011-11-16 15:13 . 2006-10-19 01:47 348672 ---h--w- c:\windows\system32\wmdrmnet.dll

2011-11-16 15:13 . 2006-10-19 01:47 295936 ---h--w- c:\windows\system32\wmpeffects.dll

2011-11-16 15:13 . 2006-10-19 01:47 1661952 ---h--w- c:\windows\system32\wmpencen.dll

2011-11-16 15:13 . 2006-10-19 01:47 429056 ---h--w- c:\windows\system32\wmdrmdev.dll

2011-11-16 15:13 . 2006-10-19 01:47 4096 ---h--w- c:\windows\system32\wdfapi.dll

2011-11-16 15:13 . 2006-10-19 01:47 254976 ---h--w- c:\windows\system32\PortableDeviceApi.dll

2011-11-16 15:13 . 2006-10-19 01:47 199168 ---h--w- c:\windows\system32\PortableDeviceWMDRM.dll

2011-11-16 15:13 . 2006-10-19 01:47 166912 ---h--w- c:\windows\system32\PortableDeviceTypes.dll

2011-11-16 15:13 . 2006-10-19 01:47 132096 ---h--w- c:\windows\system32\PortableDeviceWiaCompat.dll

2011-11-16 15:13 . 2006-10-19 01:47 101888 ---h--w- c:\windows\system32\PortableDeviceClassExtension.dll

2011-11-16 15:13 . 2004-08-11 21:00 938496 ---ha-w- c:\windows\system32\WMNetMgr.dll

2011-11-16 15:13 . 2004-08-11 21:00 757248 ---ha-w- c:\windows\system32\WMADMOD.dll

2011-11-16 15:13 . 2004-08-11 21:00 414720 ---ha-w- c:\windows\system32\msscp.dll

2011-11-16 15:13 . 2004-08-11 21:00 37376 ---ha-w- c:\windows\system32\wmdmps.dll

2011-11-16 15:13 . 2004-08-11 21:00 33792 ---ha-w- c:\windows\system32\wmdmlog.dll

2011-11-16 15:13 . 2004-08-11 21:00 321536 ---ha-w- c:\windows\system32\mswmdm.dll

2011-11-16 15:13 . 2004-08-11 21:00 227328 ---ha-w- c:\windows\system32\wmerror.dll

2011-11-16 15:13 . 2004-08-11 21:00 222208 ---ha-w- c:\windows\system32\WMASF.dll

2011-11-16 15:13 . 2004-08-11 21:00 211456 ---ha-w- c:\windows\system32\wmpasf.dll

2011-11-16 15:13 . 2004-08-11 21:00 157184 ---ha-w- c:\windows\system32\wmidx.dll

2011-11-16 15:13 . 2004-08-11 21:00 1117696 ---ha-w- c:\windows\system32\WMADMOE.dll

2011-11-16 15:13 . 2004-08-11 21:00 27136 ---ha-w- c:\windows\system32\mspmsnsv.dll

2011-11-16 15:13 . 2004-08-11 21:00 179712 ---ha-w- c:\windows\system32\msnetobj.dll

2011-11-16 15:13 . 2004-08-11 21:00 175616 ---ha-w- c:\windows\system32\mspmsp.dll

2011-11-16 15:13 . 2004-08-11 21:00 916480 ---ha-w- c:\windows\system32\wininet.dll

2011-11-16 15:13 . 2004-08-11 21:00 420352 ---ha-w- c:\windows\system32\vbscript.dll

2011-11-16 15:13 . 2004-08-11 21:00 211456 ---ha-w- c:\windows\system32\qasf.dll

2011-11-16 15:13 . 2006-10-19 01:47 671232 ---h--w- c:\windows\system32\drivers\UMDF\wpdmtpdr.dll

2011-11-16 15:13 . 2006-10-19 01:47 317440 ---h--w- c:\windows\system32\MP4SDECD.dll

2011-11-16 15:13 . 2006-10-19 01:47 259072 ---h--w- c:\windows\system32\MPG4DECD.dll

2011-11-16 15:13 . 2006-10-19 01:47 259072 ---h--w- c:\windows\system32\MP43DECD.dll

2011-11-16 15:13 . 2006-10-19 01:47 212992 ---h--w- c:\windows\system32\MFPLAT.dll

2011-11-16 15:13 . 2006-10-19 01:47 276992 ---h--w- c:\windows\system32\audiodev.dll

2011-11-16 15:13 . 2006-10-19 00:05 232448 ---h--w- c:\windows\system32\l3codecp.acm

2011-11-16 15:13 . 2006-10-19 00:00 249856 ---h--w- c:\windows\system32\drmupgds.exe

2011-11-16 15:13 . 2006-10-19 00:00 38528 ---ha-w- c:\windows\system32\drivers\wpdusb.sys

2011-11-16 15:13 . 2004-08-11 21:00 991744 ---ha-w- c:\windows\system32\drmv2clt.dll

2011-11-16 15:13 . 2004-08-11 21:00 7168 ---ha-w- c:\windows\system32\asferror.dll

2011-11-16 15:13 . 2004-08-11 21:00 542720 ---ha-w- c:\windows\system32\blackbox.dll

2011-11-16 15:13 . 2004-08-11 21:00 4096 ---ha-w- c:\windows\system32\MPG4DMOD.dll

2011-11-16 15:13 . 2004-08-11 21:00 4096 ---ha-w- c:\windows\system32\MP4SDMOD.dll

2011-11-16 15:13 . 2004-08-11 21:00 4096 ---ha-w- c:\windows\system32\MP43DMOD.dll

2011-11-16 15:13 . 2004-08-11 21:00 229376 ---ha-w- c:\windows\system32\cewmdm.dll

2011-11-16 15:13 . 2004-08-11 21:00 11264 ---ha-w- c:\windows\system32\LAPRXY.dll

2011-11-16 15:13 . 2004-08-11 21:00 100864 ---ha-w- c:\windows\system32\logagent.exe

2011-11-16 15:13 . 2004-08-11 21:00 43008 ---ha-w- c:\windows\system32\licmgr10.dll

2011-11-16 15:13 . 2004-08-11 21:00 1469440 ---ha-w- c:\windows\system32\inetcpl.cpl

2011-11-16 15:13 . 2004-08-11 21:00 385024 ---ha-w- c:\windows\system32\html.iec

2011-11-16 15:03 . 2004-08-11 21:00 2145280 ---ha-w- c:\windows\system32\ntoskrnl.exe

2011-11-16 15:03 . 2004-08-04 02:59 2023936 ---ha-w- c:\windows\system32\ntkrnlpa.exe

2011-10-10 14:22 . 2004-08-11 21:12 692736 ---ha-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06 . 2004-08-11 21:00 599040 ---ha-w- c:\windows\system32\crypt32.dll

2011-09-26 15:41 . 2007-10-09 17:03 611328 ---ha-w- c:\windows\system32\uiautomationcore.dll

2011-08-31 04:05 . 2011-08-31 04:05 83816 ---ha-w- c:\windows\system32\dns-sd.exe

2011-08-31 04:05 . 2011-08-31 04:05 73064 ---ha-w- c:\windows\system32\dnssd.dll

2011-08-31 04:05 . 2011-08-31 04:05 50536 ---ha-w- c:\windows\system32\jdns_sd.dll

2011-08-31 04:05 . 2011-08-31 04:05 178536 ---ha-w- c:\windows\system32\dnssdX.dll

2011-04-14 18:01 . 2010-11-17 16:23 24376 ---ha-w- c:\program files\mozilla firefox\components\Scriptff.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[7] 2011-11-16 15:16 . C7E39EA41233E9F5B86C8DA3A9F1E4A8 . 52224 . . [9.0.1.56] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll

[-] 2011-11-16 15:13 . 051B1BDECD6DEE18C771B5D5EC7F044D . 27136 . . [11.0.5721.5262] . . c:\windows\system32\mspmsnsv.dll

[7] 2006-10-19 01:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\dllcache\mspmsnsv.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]

@="{95A27763-F62A-4114-9072-E81D87DE3B68}"

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]

2011-03-04 01:52 762000 ---ha-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]

2011-03-04 01:52 762000 ---ha-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]

@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]

2011-03-04 01:52 762000 ---ha-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]

@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"

[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]

2010-04-14 01:11 2872120 ---ha-w- c:\program files\McAfee Online Backup\MOBKshell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]

@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"

[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]

2010-04-14 01:11 2872120 ---ha-w- c:\program files\McAfee Online Backup\MOBKshell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]

@="{b4caf489-1eec-c617-49ad-8d7088598c06}"

[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]

2010-04-14 01:11 2872120 ---ha-w- c:\program files\McAfee Online Backup\MOBKshell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PowerPanel Personal Edition User Interaction"="c:\program files\GEEK SQUAD UPS\pppeuser.exe" [2007-03-10 270336]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-03-04 948880]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^DocketSCAN II.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\DocketSCAN II.lnk

backup=c:\windows\pss\DocketSCAN II.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Dropbox.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Dropbox.lnk

backup=c:\windows\pss\Dropbox.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]

backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^rncsys32.exe]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\rncsys32.exe

backup=c:\windows\pss\rncsys32.exeStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

~ [X]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware15

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

c:\windows\system32\dumprep 0 -u [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2007-06-14 00:41 69632 ---ha-w- c:\windows\ALCMTR.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]

2004-02-19 09:23 61440 ---ha-w- c:\dell\bldbubg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Carbonite Backup]

2011-03-04 01:52 948880 ---ha-r- c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2010-01-28 18:27 173592 ---ha-r- c:\windows\system32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2007-10-15 02:17 49152 ---ha-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2010-01-28 18:27 141336 ---ha-r- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

2006-09-11 08:40 218032 ---ha-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]

2003-12-11 14:50 20992 ---h--w- c:\windows\LOGI_MWX.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2010-01-28 18:27 142360 ---ha-r- c:\windows\system32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-09-06 20:09 413696 ---ha-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2007-06-14 00:41 16132608 ---ha-w- c:\windows\RTHDCPL.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-05-14 16:44 248552 ---ha-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"YahooAUService"=2 (0x2)

"WMPNetworkSvc"=3 (0x3)

"Viewpoint Manager Service"=2 (0x2)

"sftvsa"=3 (0x3)

"sftlist"=2 (0x2)

"osppsvc"=3 (0x3)

"ose"=3 (0x3)

"odserv"=3 (0x3)

"MSK80Service"=2 (0x2)

"McciCMService"=2 (0x2)

"LVPrcSrv"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

"idsvc"=3 (0x3)

"IDriverT"=3 (0x3)

"gusvc"=3 (0x3)

"gupdate1c9991aa2c01dce"=2 (0x2)

"cvhsvc"=2 (0x2)

"Bonjour Service"=2 (0x2)

"MOBKbackup"=2 (0x2)

"mfevtp"=2 (0x2)

"mfefire"=2 (0x2)

"McShield"=2 (0x2)

"McProxy"=2 (0x2)

"McODS"=3 (0x3)

"McNASvc"=2 (0x2)

"McNaiAnn"=2 (0x2)

"mcmscsvc"=2 (0x2)

"McMPFSvc"=2 (0x2)

"McComponentHostService"=3 (0x3)

"McAfee SiteAdvisor Service"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\WINDOWS\\system32\\wuauclt.exe"=

"c:\\Program Files\\att-nap\\McciBrowser.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

.

R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [11/17/2010 11:25 AM 54776]

R2 ISD;Intel® 82802 Firmware Hub Device (Intel® Security Driver);c:\windows\system32\drivers\ISECDRV.SYS [3/3/2009 11:06 AM 32108]

R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 5:02 PM 26640]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 4:06 PM 32272]

S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 4:29 PM 36880]

S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]

S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]

S1 SASDIFSV;SASDIFSV;\??\c:\documents and settings\Administrator\Desktop\SAP\SUPERAntiSpyware\SASDIFSV.SYS --> c:\documents and settings\Administrator\Desktop\SAP\SUPERAntiSpyware\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\documents and settings\Administrator\Desktop\SAP\SUPERAntiSpyware\SASKUTIL.SYS --> c:\documents and settings\Administrator\Desktop\SAP\SUPERAntiSpyware\SASKUTIL.SYS [?]

S2 MOBCleanup;MOBCleanup;"c:\docume~1\ADMINI~1\LOCALS~1\Temp\MOBCleanup.exe" --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\MOBCleanup.exe [?]

S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hpfxfax.sys --> c:\windows\system32\drivers\hpfxfax.sys [?]

S3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [12/2/2009 10:23 PM 581480]

S3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [12/2/2009 10:23 PM 209640]

S3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [12/2/2009 10:23 PM 20584]

S3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [12/2/2009 10:23 PM 18280]

S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

S4 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [10/20/2010 2:23 PM 821664]

S4 gupdate1c9991aa2c01dce;Google Update Service (gupdate1c9991aa2c01dce);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]

S4 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 8:11 PM 229688]

S4 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]

S4 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [9/14/2010 4:46 AM 508264]

S4 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [9/14/2010 4:46 AM 219496]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

2009-03-08 08:32 128512 ---h--w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

.

2011-11-21 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

.

2011-11-18 c:\windows\Tasks\ParetoLogic Registration.job

- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 17:25]

.

2011-09-18 c:\windows\Tasks\ParetoLogic Update Version2.job

- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 17:25]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.254

DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} - hxxp://www.intel.com/design/motherbd/boardid/BoardID.cab

DPF: {E9B80D94-D8BB-43CC-9138-75605A8D9666} - hxxp://aolsvc.aol.com/onlinegames/free-trial-wedding-dash/WeddingDash.1.0.0.50.cab

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)

ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)

HKLM-Run-AyBceCwcCVrA.exe - c:\documents and settings\All Users\Application Data\AyBceCwcCVrA.exe

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\documents and settings\Owner\Desktop\SAP\SUPERAntiSpyware\SASSEH.DLL

Notify-!SASWinLogon - c:\documents and settings\Owner\Desktop\SAP\SUPERAntiSpyware\SASWINLO.DLL

MSConfigStartUp-18297344 - c:\documents and settings\All Users\Application Data\18297344\18297344.exe

MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe

MSConfigStartUp-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

MSConfigStartUp-Aim - c:\program files\AIM\aim.exe

MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

MSConfigStartUp-APSDaemon - c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe

MSConfigStartUp-DriverCure - c:\program files\ParetoLogic\DriverCure\DriverCure.exe

MSConfigStartUp-DriverUpdate - c:\documents and settings\Administrator\Desktop\DriverUpdate\DriverUpdate.exe

MSConfigStartUp-Gamevance - c:\program files\Gamevance\gamevance32.exe

MSConfigStartUp-HPUsageTracking - c:\program files\HP\HP UT\bin\hppusg.exe

MSConfigStartUp-InstallIQUpdater - c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe

MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe

MSConfigStartUp-LogitechQuickCamRibbon - c:\program files\Logitech\QuickCam\Quickcam.exe

MSConfigStartUp-Malwarebytes' Anti-Malware - c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

MSConfigStartUp-Malwarebytes' Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe

MSConfigStartUp-mcui_exe - c:\program files\McAfee.com\Agent\mcagent.exe

MSConfigStartUp-Messenger (Yahoo!) - c:\program files\Yahoo!\Messenger\YahooMessenger.exe

MSConfigStartUp-Owner - c:\documents and settings\Owner\Owner.exe

MSConfigStartUp-PDF3 Registry Controller - c:\program files\ScanSoft\OmniPage15.0\PDFConverter3\\RegistryController.exe

MSConfigStartUp-PDVDDXSrv - c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

MSConfigStartUp-RegistryMechanic - c:\program files\Registry Mechanic\RegMech.exe

MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe

MSConfigStartUp-SmartSoft PDF Printer Agent - c:\program files\Smart PDF Converter Pro\sspdfagent.exe

MSConfigStartUp-SmartSoft PDF Printer virtual printer agent - c:\program files\Smart PDF Converter Pro\sspdfagent.exe

MSConfigStartUp-SweetIM - c:\program files\SweetIM\Messenger\SweetIM.exe

MSConfigStartUp-ToolBoxFX - c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe

MSConfigStartUp-TrojanScanner - c:\program files\Trojan Remover\Trjscan.exe

MSConfigStartUp-ttool - c:\windows\9129837.exe

AddRemove-Carbonite Backup - c:\program files\Carbonite\Carbonite Backup\CarboniteSetup.exe

AddRemove-{27C467F8-F8EF-4f68-BD72-D63632B2096C} - c:\program files\McAfeeMOBK\MozyUninstaller.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-21 12:20

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: Hitachi_HDS721680PLA380 rev.P21OABNA -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

.

device: opened successfully

user: MBR read successfully

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x8A92F2C6

user & kernel MBR OK

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ec,70,a8,08,bf,e4,1a,40,b0,2a,4a,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ec,70,a8,08,bf,e4,1a,40,b0,2a,4a,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1056)

c:\windows\system32\WININET.dll

.

- - - - - - - > 'lsass.exe'(1116)

c:\windows\system32\WININET.dll

.

- - - - - - - > 'explorer.exe'(2872)

c:\windows\system32\WININET.dll

c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

c:\program files\McAfee Online Backup\MOBKshell.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe

c:\program files\GEEK SQUAD UPS\ppped.exe

.

**************************************************************************

.

Completion time: 2011-11-21 12:33:10 - machine was rebooted

ComboFix-quarantined-files.txt 2011-11-21 17:33

.

Pre-Run: 49,546,006,528 bytes free

Post-Run: 48,554,389,504 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 62A9CD18A19F9A744A0096A1B7FB023A


Is it supposed to take a very long time? Whenever I put in a URL it seems stuck on the "Performing URL Submission" page.

Please visit www.virustotal.com and upload one by one the following files:

c:\windows\system32\Native.exe

c:\windows\system32\raschapl.dll

c:\windows\system32\DP667WUI.DLL

When the scan has finished, copy/paste the links here.


  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

